VIST Turns to Proofpoint to Update Email Security

Faced with the discontinuation of its e-mail security system, VIST Financial (formerly Leesport Financial) took the opportunity to step up its capabilities. "As we neared completion of a post-acquisition unification process, ... we learned of our existing anti-spam filter's demise in early 2007," recalls Jack McLaine, VP and IT manager of the Wyomissing, Pa.-based bank. He notes that as a result of acquisitions, VIST was supporting thousands of applications on about 100 servers running Windows, Linux and Novell. "We began searching for a more advanced, policy-based alternative that would meet new regulatory and competitive requirements."

In mid-2007, VIST ($1.2 billion in total assets) narrowed its options to three potential vendors. Of those, McLaine explains, two exceeded minimum requirements. "One was a Symantec [Cupertino, Calif.] solution, which had the lowest base price," he says. "But it meant licensing and supporting another Microsoft [Redmond, Wash.] server, along with the incumbent overhead."

The other option, a purpose-built Messaging Security Gateway appliance from San Jose, Calif.-based Proofpoint, proved a better fit, according to McLaine. "We weren't specifically looking for an appliance," he comments. "However, the integration, management and complexity costs of software-based solutions significantly added to their ownership price. It also cost more to expand capabilities to meet changing needs. In addition to offering lower ownership and expansion costs, Proofpoint ... representatives worked with us to include capabilities not otherwise part of the basic unit."

By September 2007, VIST began developing a deployment strategy. "Since communicating via encrypted e-mails would be an adjustment not only for our 500 employees but also thousands of account holders, we formed a cross-functional team with heavy marketing involvement," McLaine says. "We also spoke with peer banks about their experiences."

Since the systems-unification process included a rebranding of the bank, deployment was split into an internal pilot followed by an enterprisewide rollout that would coincide with the rebranding. "The pilot involved 50 internal users who managed high-impact commercial accounts," states McLaine. "We positioned encrypted e-mail to banking customers as a safeguard for them, rather than as a regulatory compliance issue for us."

When the appliance arrived in early October 2007, initial setup took about an hour. "Prior to receiving the unit, we had submitted drawings of our existing infrastructure to Proofpoint followed by a conference call with technical support," McLaine notes. "Thus, when the unit arrived, configuring it and related existing systems was already mapped out."

VIST briefly ran the appliance in "monitor mode" to hone the rules, switching it to active mode for the pilot in early November. After further fine-tuning, the enterprisewide deployment in March 2008 went smoothly, according to McLaine. "Our advance planning and communications outreach really paid off," he says.

Indeed, rewards quickly mounted. "Beyond the regulatory and competitive benefits, we've gained control over corporate assets, such as quarantining press releases," reports McLaine. "In IT, malicious threat blocking dramatically reduced e-mail volume, allowing us to consolidate enterprise post offices from 18 to two. Less volume also streamlines archiving -- what previously took two days now takes two hours. ... And, with less malware, we're no longer re-imaging someone's desktop every week."

Altogether, the gains slashed overhead for VIST's five-person IT department. "Since we're not putting out mail fires, we're wringing out system efficiencies and leveraging other technologies ... to further economize," McLaine notes.